This website uses cookies. If you continue to use the website you agree to our use of cookies. Learn more

LP Magazine EU

ItemOptix-banner_V2.gif

DeArm_bannerV2.png

Loss_Prevention_Magazine_300x250__Nov_2023.jpg

Jan_2024.png

UK_Banner_ad_5-01.png

Web and Mobile Fraud

More Complex and Ever More Mobile 

The Impact of Evolving Web and Mobile Technologies on Retail Fraud Control

By Mark Johnson The Risk Management Group

As the separate tracks of online and mobile technology continue to evolve and converge, the challenges and the opportunities facing fraud control professionals are maturing at a similar rate.

New technologies, or the application of existing technologies in new ways, can bring both risks and rewards. Fraud control teams and investigators need to come to terms with an emerging new world order in which, not only consumers, but also autonomous devices, are responsible for some transactions, and where threats from other sectors such as banking and the unregulated payments space are increasingly relevant to anyone engaged in e-commerce.

The Deep Web

The phrase “Deep Web” refers to that part of the Internet that is not indexed by traditional search engines. Estimates vary, but it is commonly thought that the data held in Deep Web repositories is 500 times greater than that normally searched by conventional means.

The main shortcoming of traditional search engines is that they are almost totally dependent on hyperlinks and keywords to identify what data is available online. However, less than 10 per cent of the open-source data stored on the Internet is accessible in this manner and only about 27 per cent of that is in English. 

This means that if you run an English Google web search on any given topic, you are likely to be searching only 2.7 per cent of the available data online at best, and even then you are further constrained by the fact that search engines limit the amount of data they will actually bring back to you—one million “hits” does not mean one million results displayed in your browser. Try going past page 30 or 40 in the search results to see what I mean.

There is, however, tremendous potential fraud control value in the data that resides deeper in the web. The main types of Deep Web data include:

As a tool for performing fraud investigations or due diligence on suppliers and potential corporate customers, for credit referencing and other financial background checks, Deep Web tools are becoming increasingly important. 

There are already a number of such tools out there as, ironically, a simple Google search will reveal. However, prospective users should be aware that many of these are still very U.S.-centric, and you are always advised to try before you buy because most Deep Web search tools are offered as paid services.

Mobile Financial Services

Mobile Financial Services (MFS) represent the next generation of what has long been referred to as “mobile payments,” “mobile money,” or the “mobile wallet.” MFS sits on a spectrum between mobile money transfers between individual consumers at one extreme and full banking services, including lending and credit, at the other. As the service mix evolves, the offering from mobile operators, banks, or both in partnership is moving from left to right along that spectrum. 

What this means is that the SIM card inside the mobile device is rapidly becoming an electronic credit card that also happens to support phone calls, text messaging, multimedia streaming, and web browsing. It is the credit card application that is widely anticipated to become the most important of these functions and that is what makes MFS a particularly important issue for retail fraud control.

How fraud will manifest itself within mature MFS services remains to be seen, but experience suggests a number of possible scenarios. No doubt the fraudsters will already have ideas of their own and, as always, they will eventually provide us with practical demonstrations.

The following bullet points provide a summary of some of the top potential MFS issues:

These are only a few of the fraud and crime scenarios postulated by our team of subject-matter experts during a recent workshop on MFS risks. The future promises to be exciting and challenging for many fraud control professionals.

Unregulated Payment Services

Unregulated online payment services, such as Bit Coin and Web Money, have been growing in popularity in recent years. Although there are several reasons to fear the collapse of any one of these unregulated schemes, they do continue to operate and some of them have user bases measured in the tens of millions.

When a chain of payments or other financial transactions includes a mix of conventional payments, credit card transactions, MFS transactions, PayPal, and then unregulated currency transactions, the scope for money laundering or terrorist funding, as well as for bribery and corruption, is dramatically increased.

This scenario potentially puts retailers at risk in terms of regulatory or other penalties in the event that their systems and processes form a part of such a chain of transactions. For example, any business selling digital goods can potentially be exploited if those goods are transferrable; they represent a potential store of value that can be used to transfer the proceeds of crime or to fund future criminal attacks. If retailers have also opted to allow unregulated forms of payment on their sites, they might well be accused of a lack of due diligence.

While this might not yet be an immediate concern for most organisations, the notion that threats in the regulated financial services sector can increasingly start to spill over into the retail sector should not be ignored. Moves by some major retailers to establish their own financial services arms under the same brand only serve to reinforce the point that joined up thinking is needed in the face of convergent threats.

The Machine-to-Machine Revolution

Machine-to-machine, or M2M, services are those services in which the human user is removed from the loop. Examples abound and M2M transactions are projected to outstrip conventional mobile network transactions by a significant factor in the coming decade.

M2M transactions can potentially take many different forms. A refrigerator fitted with a mobile SIM card, for example, could autonomously order resupplies of selected products, such as milk, cheese, and eggs, from the computer systems of an online supermarket. These supplies might even be delivered in the near future by an unmanned robotic vehicle and their receipt will be “signed-off” by the fridge itself—the only human involvement being to drink the milk, slice the cheese, and fry the eggs.

These service models are closer than one might think. There are already cities in China in which robotic vehicles are being extensively tested. Package-delivery drones in the city of Dongguan in southeast China are being trialled at this moment. The U.S. military has a 2025 target for replacing 25 per cent of the existing vehicles in its fleet, both combat and logistics, with robotic ones. Most people reading this article will still be working, possibly still in a fraud control context, when we have all moved to a largely automated commercial and infrastructure model.

While machines are unlikely to commit deliberate fraud, they are exposed to the threat of hacking or takeover, as well as to technical errors. A computer bug in a fridge could trigger an order for 1,000 eggs, whereas a human user is highly unlikely to make such an error. Fraud control, customer services, credit and collections, as well as information security teams will all need to adapt to this new model and the challenges it throws up. They will also need to collaborate with one another with increasing effectiveness.

The Cyber-Crime Nexus

This brings us to cyber-crime. Fraud teams tend to push cyber-crime ideas to one side, viewing them as technical rather than operational threats that require the attention of highly technical teams.

In fact, cyber-crime needs to be understood as a two-stage process. The first stage is indeed technical, as it involves the “access” phase of the attack during which clever criminals gain entry to systems and/or access to data and software applications. This is the stereotypical form of cyber-crime presented in media and books. In future M2M devices and business models will represent one popular target of such attacks.

However, the second stage of any cyber-crime, which we call the “exploit” phase, is often more familiar to fraud control. It may not be technical at all. This is the phase in which the access deceitfully or illegally gained is used to extract value or to cause a loss—in other words, to commit a fraud. Actions can range from theft of data or funds to extortion, hijacking of systems, denial of service, and everything in between. 

It is rare to find a cyber-security team with the capacity, knowledge, and skills to address both the access and the exploit phases of a cyber-attack. A matrix management model is required and fraud control professionals are going to find that they are often best placed to evaluate exploits and to define the impact of and the evidence for each.

The Challenge and Opportunity

Retail fraud control cannot operate in isolation. It is increasingly the case that effective fraud control will demand that practitioners cover an expanding range of areas and possess a wide range of skills, from Deep Web “digital intelligence” gathering to cyber-crime investigations, and from financial services frauds to an awareness of robotics. 

This is not a challenge; it is an opportunity. Those who can grasp the fundamentals and prepare themselves for what the future holds are more likely to prosper in that future. Even if the future turns out differently than anticipated, they will invariably be able to adapt what they have learned and to put it to good use while others are still playing catch-up.

Fraud control is not a “silo.” It is a “horizontal” that must stripe across all parts of a retail operation; comprehending, assessing, addressing, and proactively preventing fraud risks whatever their shape or size. Effective fraud control, therefore, is a critical success factor that is assuming greater importance with every passing day. 

New technologies, or the application of existing technologies in new ways, can bring both risks and rewards. Fraud control teams and investigators need to come to terms with an emerging new world order in which, not only consumers, but also autonomous devices, are responsible for some transactions, and where threats from other sectors such as banking and the unregulated payments space are increasingly relevant to anyone engaged in e-commerce. 

The phrase 
“Deep Web” refers 
to that part of the 
Internet that is not 
indexed by traditional
search engines. 
Estimates vary, but it is commonly thought that 
the data held in Deep 
Web repositories is 
500 times greater than 
that normally searched 
by conventional means.

Retail fraud control 
cannot operate in isolation. 
It is increasingly the 
case that effective fraud control will demand that practitioners cover an expanding range of 
areas and possess 
a wide range of skills, 
from Deep Web “digital 
intelligence” gathering to cyber-crime investigations, and from financial 
services frauds to an 
awareness of robotics. 
This is not a challenge;
 it is an opportunity.

When a chain of 
payments or other 
financial transactions includes a mix of conventional payments, credit card transactions, 
MFS transactions, PayPal, and then unregulated currency transactions, 
the scope for money laundering or terrorist funding, as well as for bribery and corruption,
 is dramatically increased.

MARK JOHNSON is a former head of fraud control and subject-matter expert at several blue-chip companies. He is the founder and chairman of The Risk Management Group (trmg.biz) and the author of books on cyber-crime and modern history (markjohnsonbooks.com).

Leave a Reply



(Your email will not be publicly displayed.)

Captcha Code

Click the image to see another captcha.



iFacility CCTV and Alarm Installation